Unload automatic empty zones which are super/sub/equal domains of a forward zone.
It allows queries to leak to the public Internet if:
a) The query name does not belong to the forwarded domain:
- empty zone = 10.in-addr.arpa
- forward zone = 1.10.in-addr.arpa
- qname = 2.10.in-addr.arpa
b) The forward zone is a superdomain but it failed and the user configured
policy != only.
Limitation:
Unloading logic is triggered only by zones in LDAP + the global forwarder in
named.conf. BIND does not have an API to iterate over the complete list
of forwarders configured from other sources (namely named.conf).
This patch unloads empty zones without regard to forwarding policy.
Removed empty zones are not loaded back when the conflicting empty zone
is removed from LDAP. This was done to simplify implementation.
https://fedorahosted.org/bind-dyndb-ldap/ticket/160
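The name-relation check behind this commit (is an automatic empty zone a super-, sub- or equal domain of a forward zone?) and the two leak scenarios it describes, as an added illustration that is not bind-dyndb-ldap or BIND code. The zone-selection model is an assumption made for the example: BIND answers from the most specific (longest) matching zone, an empty zone with the same name as the forward zone is assumed to shadow it, and a failed forward with policy "only" yields SERVFAIL while policy "first" falls back to recursion. All function and enum names are hypothetical.

```c
/* Added example: DNS name relations and where a query ends up when an
 * automatic empty zone overlaps a forward zone. Not project code. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

enum relation { REL_NONE, REL_EQUAL, REL_SUBDOMAIN, REL_SUPERDOMAIN };
enum destination { DEST_EMPTY_ZONE, DEST_FORWARDER, DEST_SERVFAIL, DEST_PUBLIC };

/* Lower-case the name and drop a trailing dot, so that
 * "10.IN-ADDR.ARPA." compares equal to "10.in-addr.arpa". */
static void normalize(const char *in, char *out, size_t outlen)
{
    size_t n = strlen(in);
    if (n > 0 && in[n - 1] == '.')
        n--;
    if (n >= outlen)
        n = outlen - 1;
    for (size_t i = 0; i < n; i++)
        out[i] = (char)tolower((unsigned char)in[i]);
    out[n] = '\0';
}

/* 1 if name equals zone or lies below it; the match must end on a label
 * boundary, so "x10.in-addr.arpa" is NOT under "10.in-addr.arpa". */
int name_under(const char *name, const char *zone)
{
    char n[256], z[256];
    normalize(name, n, sizeof n);
    normalize(zone, z, sizeof z);
    size_t ln = strlen(n), lz = strlen(z);
    if (lz == 0)
        return 1;               /* the root zone contains every name */
    if (ln < lz || strcmp(n + (ln - lz), z) != 0)
        return 0;
    return ln == lz || n[ln - lz - 1] == '.';
}

/* Relation of a to b: equal, a below b (subdomain), a above b (superdomain), or unrelated. */
enum relation name_relation(const char *a, const char *b)
{
    int ab = name_under(a, b), ba = name_under(b, a);
    if (ab && ba) return REL_EQUAL;
    if (ab)       return REL_SUBDOMAIN;
    if (ba)       return REL_SUPERDOMAIN;
    return REL_NONE;
}

/* The unloading condition from the commit message: an empty zone that is a
 * super-, sub- or equal domain of a forward zone conflicts with it. */
int empty_zone_conflicts(const char *empty_zone, const char *forward_zone)
{
    return name_relation(empty_zone, forward_zone) != REL_NONE;
}

/* Assumed model (not taken from BIND source): the most specific matching zone
 * answers. A loaded empty zone answers NXDOMAIN locally; with it unloaded the
 * query is forwarded when under the forward zone and otherwise recurses to
 * the public Internet (case a). If forwarding fails, policy "only" gives
 * SERVFAIL and policy "first" falls back to public recursion (case b). */
enum destination classify_query(const char *qname, const char *forward_zone,
                                int forward_failed, int policy_only,
                                const char *empty_zone, int empty_zone_loaded)
{
    int in_fwd = name_under(qname, forward_zone);
    int in_empty = empty_zone_loaded && name_under(qname, empty_zone);

    /* Both match: the empty zone wins only if it is at least as specific
     * (equal or below the forward zone); otherwise the forward zone wins. */
    if (in_fwd && in_empty && !name_under(empty_zone, forward_zone))
        in_empty = 0;
    if (in_empty)
        return DEST_EMPTY_ZONE;
    if (in_fwd)
        return !forward_failed ? DEST_FORWARDER
                               : (policy_only ? DEST_SERVFAIL : DEST_PUBLIC);
    return DEST_PUBLIC;
}

int main(void)
{
    /* Constructed scenario from the commit message (case a). */
    const char *empty = "10.in-addr.arpa", *fwd = "1.10.in-addr.arpa";
    printf("conflict: %d\n", empty_zone_conflicts(empty, fwd));
    printf("2.10.in-addr.arpa, empty zone loaded:   %d\n",
           classify_query("2.10.in-addr.arpa", fwd, 0, 0, empty, 1));
    printf("2.10.in-addr.arpa, empty zone unloaded: %d\n",
           classify_query("2.10.in-addr.arpa", fwd, 0, 0, empty, 0));
    return 0;
}
```

Running it shows the trade-off the commit accepts: with the empty zone loaded, 2.10.in-addr.arpa is answered locally; once it is unloaded so that 1.10.in-addr.arpa can be forwarded, the same query recurses to the public Internet.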